1、卸载firewalld
yum -y remove firewalld
2、安装iptables
yum install -y iptables
3、编写iptables规则
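# vi /etc/iptables.sh
#!/bin/sh
# Host firewall for a dual-homed box: inbound traffic is matched on $ETHI,
# outbound traffic on $ETHO. Loopback, a fixed set of private hosts, the
# monitoring host and two resolvers are accepted; a few TCP service ports are
# open inbound; everything else is logged (rate-limited) and then dropped.
#
# Deliberately no "set -e": if a single rule fails to load we still want to
# reach the catch-all DROP rules at the bottom rather than exit early.
#
# NOTE(review): INPUT rules only match $ETHI and OUTPUT rules only match
# $ETHO. A reply that the kernel routes out via $ETHI matches no ACCEPT rule
# and falls through to the final OUTPUT DROP — confirm this matches the
# host's routing, or point ETHO at the same interface as ETHI.

#declare variables
IPTABLES=/usr/sbin/iptables
ETHI=eth0
ETHO=eth1

# Private-network hosts allowed in (on $ETHI) and out (on $ETHO) on any port.
PRIVATE_HOSTS="
10.173.3.29
10.173.10.188
10.173.10.145
10.173.28.173
10.162.211.124
10.173.11.107
10.162.208.176
"
# Monitoring host, same treatment as the private hosts.
MONITOR_HOST=10.242.174.13
# Resolvers: only UDP/53 is allowed, in both directions.
DNS_SERVERS="10.202.72.118 10.202.72.116"
# Cap on how many unmatched packets are written to the kernel log per chain;
# beyond the burst, packets are still dropped, just not logged. Tunable.
LOG_LIMIT="-m limit --limit 5/min --limit-burst 10"

# Fail closed: set the chain policies to DROP *before* flushing, so the host
# is never wide open between the flush and the last rule, and stays closed
# if the script stops half-way.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -P OUTPUT DROP

#clear all policy
"$IPTABLES" -F

#the policies for loopback
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT

#the policies for private network
# (word-splitting of $PRIVATE_HOSTS is intended: one address per word)
for host in $PRIVATE_HOSTS; do
  "$IPTABLES" -A INPUT -i "$ETHI" -s "$host" -j ACCEPT
done
for host in $PRIVATE_HOSTS; do
  "$IPTABLES" -A OUTPUT -o "$ETHO" -d "$host" -j ACCEPT
done

#the policies for monitor
"$IPTABLES" -A INPUT -i "$ETHI" -s "$MONITOR_HOST" -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$ETHO" -d "$MONITOR_HOST" -j ACCEPT

#for DNS request
# Inbound packets from the resolvers with source port 53 are accepted
# regardless of conntrack state; outbound is restricted to UDP/53.
for dns in $DNS_SERVERS; do
  "$IPTABLES" -A INPUT -i "$ETHI" -p udp -s "$dns" --sport 53 -j ACCEPT
done
for dns in $DNS_SERVERS; do
  "$IPTABLES" -A OUTPUT -o "$ETHO" -p udp -d "$dns" --dport 53 -j ACCEPT
done

#the policies for public network
# Any new outbound connection on $ETHO, and its replies on $ETHI.
"$IPTABLES" -A OUTPUT -o "$ETHO" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A INPUT -i "$ETHI" -m state --state ESTABLISHED,RELATED -j ACCEPT
# All ICMP types are accepted inbound.
"$IPTABLES" -A INPUT -i "$ETHI" -p icmp -j ACCEPT
# Inbound service ports open to everyone ...
"$IPTABLES" -A INPUT -i "$ETHI" -p tcp --dport 25234 -j ACCEPT
"$IPTABLES" -A INPUT -i "$ETHI" -p tcp --dport 80:88 -j ACCEPT
"$IPTABLES" -A INPUT -i "$ETHI" -p tcp --dport 443 -j ACCEPT
# ... and one port open to a single source address only.
"$IPTABLES" -A INPUT -i "$ETHI" -p tcp -s 101.36.94.174 --dport 1055 -j ACCEPT

#the logs record
# Only TCP and UDP that reached this point are logged; other protocols are
# dropped silently. The limit keeps a port scan or flood from filling the
# kernel log (and the rsyslog file fed from kern.warning).
# shellcheck disable=SC2086
"$IPTABLES" -A INPUT -i "$ETHI" -p tcp $LOG_LIMIT -j LOG --log-prefix "IPTABLES TCP-IN: "
# shellcheck disable=SC2086
"$IPTABLES" -A INPUT -i "$ETHI" -p udp $LOG_LIMIT -j LOG --log-prefix "IPTABLES UDP-IN: "
# shellcheck disable=SC2086
"$IPTABLES" -A OUTPUT -o "$ETHO" -p tcp $LOG_LIMIT -j LOG --log-prefix "IPTABLES TCP-OUT: "
# shellcheck disable=SC2086
"$IPTABLES" -A OUTPUT -o "$ETHO" -p udp $LOG_LIMIT -j LOG --log-prefix "IPTABLES UDP-OUT: "

#all the other requests will be drop
# Explicit catch-all in addition to the DROP policies set above, so the
# rule counters show what was rejected.
"$IPTABLES" -A INPUT -j DROP
"$IPTABLES" -A FORWARD -j DROP
"$IPTABLES" -A OUTPUT -j DROP
# chmod +x /etc/iptables.sh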
4、创建iptables日志记录文件
# touch /var/log/iptables.log
# vi /etc/rsyslog.conf
在最后一行添加（文件名须与上面 touch 的文件一致）：
kern.warning /var/log/iptables.log
# systemctl restart rsyslog
注意：kern.warning 会把内核所有 warning 级别的消息（不只是 iptables 的 LOG 输出）写入该文件。